
SOURCING THE MALWARE 


The developer (from Orenburg, Russia) worked with 
coders to create GozNym, a sophisticated piece of 
malware to steal online banking credentials from 
victims' computers. 


The leader of the criminal network (from 
Tbilisi, Georgia) leased access to the 
malware from a developer. 


RECRUITING ACCOMPLICES 


The leader recruited other cybercriminals with 
specialised skills and services which they 
advertised on underground, Russian-speaking 


COVERING THEIR TRACKS 


Kazakhstan) worked with 'crypters' (including 
one in Balti, Moldova) to crypt the malware so 
antivirus software would not detect it on the 
victims' computers. 


DISTRIBUTION AND INFECTION 


Spammers (including one in Moscow, Russia) 


thousands of potential victims. 


The emails 
legitimate I 


nd contained 


When clicked, the victims' computer was redirected to a malicious di 
on a server hosting a GozNym executable file. This file downloaded 
GozNym onto the victims’ computers. 


BULLETPROOF HOSTING 


The Avalanche bulletproof hosting service (with its 
administrator in Poltava, Ukraine) registered the 
malicious domains contained in the phishing emails 
sent to victims and hosted the GozNym executable file 
on its servers. 


After GozNym stole victims' online banking 
information, it was sent to a central access panel. 


Once infected, sensitive information from victims’ 
computers was passed to the GozNym conspirators 
through a complex layer of servers designed to prevent 
detection by law enforcement and cybersecurity experts. 


TAKING CONTROL OF ACCOUNTS 


Account takeover specialists (including one in 
Varna, Bulgaria, and a second in Khmelnytskyi, 
Ukraine, originally from Kazan, Russia) accessed 
the panel to gain unauthorised access to victims' 
online bank accounts, from which they initiated 
electronic transfers of funds. 


CASHING OUT 


Sophisticated money launderers, known as cash-outs or drop masters 
(including those in Stavropol, Russia; Volgograd, Russia; and Nikolaev, 
Ukraine), provided bank accounts to receive victims' stolen funds. 


The funds were then 
accounts or withdraw 
from banks or ATMs. 


i by money mules directly 


The stolen funds were then distributed 
to the members of the network. 